HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-48055Published Modified CNA GitHub_M

CVE-2026-48055: Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction

Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.

Metrics

CVSS v3.1
10.0
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An arbitrary file write vulnerability (commonly called "Zip Slip") affects Streambert versions 2.4.0 and earlier, an Electron-based desktop app for streaming and downloading video media. The flaw is reachable over the network with no authentication required: when Streambert extracts a subtitle ZIP archive, it builds the output file path directly from the raw archive entry name without sanitizing path traversal sequences, so a malicious archive can write files anywhere on the host filesystem the process has permission to reach. Successful exploitation lets an attacker overwrite or plant arbitrary files, which can lead to persistent code execution or destruction of data on the host. No fix version has been published upstream yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-48055 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Streambert or vendor it as a dependency.

Available
Triage

Triage is available using the CVSS v3.1 base score of 10.0 (Critical), weighted against each customer environment's compliance policy to determine urgency and route alerts to the appropriate team inbox within each organization.

Available
Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the fix version the moment upstream ships a release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerability is triggered over the network: an attacker must be able to serve or inject a malicious subtitle ZIP archive that the Streambert application fetches and attempts to extract.

  • AuthenticationNot required

    No credentials or account privileges are required; any party able to supply a crafted archive to the application can trigger the path traversal write.

  • Victim interactionNot required

    No user interaction beyond normal application use is required; the extraction is handled automatically by Streambert's subtitle download logic.

  • Attack complexityDetail

    Attack complexity is low: the exploit is reliable and condition-free, requiring only a ZIP archive with crafted path traversal sequences in entry filenames.

Blast Radius

  • Writes arbitrary files to any path on the host filesystem that the Streambert process has permission to reach, including application binaries, shell startup scripts, or cron jobs.
  • Overwrites existing files, corrupting configuration, application data, or OS components depending on the process's privilege level.
  • Plants new executable payloads (such as scripts or binaries in auto-run locations) that persist across restarts and can achieve code execution outside the Streambert process.
  • Crashes or permanently disables dependent services by overwriting files those services rely on, causing sustained availability loss.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-48055 at this time, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment Streambert 2.5.0 or a later remediated release is published upstream. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict which hosts Streambert instances can reach for subtitle downloads, egress filtering to allowlist only trusted subtitle sources, and feature-flag or entrypoint gating to disable subtitle extraction entirely in images where that capability is not required. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual steps once the upstream fix is available. Where compliance policy permits, teams are encouraged to enable those options now so remediation is immediate when the patch ships.

See how HarborGuard automates this
Affected packages
  • truelockmc / streambert
    < 2.5.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
References